FIPS PUB 191
Mechanisms
message authentication codes used for software or files,
use of secret key based electronic signature,
use of public key digital signature,
granular privilege mechanism,
appropriate access control settings (i.e. no unnecessary write permissions),
virus detection software,
workstations with no local storage (to prevent local storage of software and files),
workstations with no diskette drive/tape drive to prevent introduction of suspect software.
2.2.5 Non-repudiation
Non-repudiation helps ensure that the entities in a communication cannot deny having
participated in all or part of the communication. When a major function of the LAN is electronic
mail, this service becomes very important. Non-repudiation with proof of origin gives the
receiver some confidence that the message indeed came from the named originator. The
non-repudiation service can be provided through the use of public key cryptographic techniques
using digital signatures. See Section 2.2.4 Data and Message Integrity for a description and use
of digital signatures. The security mechanism that could be implemented to provide the
non-repudiation service is listed below.
Mechanisms
use of public key digital signatures.
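An added example in Go (not from FIPS 191), using the standard library's Ed25519 and HMAC-SHA256, showing why the public key digital signature listed above can support non-repudiation while a secret key based code cannot: a receiver who verifies a MAC holds the same key and could have produced the tag itself, whereas a signature can be checked with the public key alone and only the private-key holder can produce it. The message text and the shared key are constructed for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Originator holds an Ed25519 key pair; only the private half can sign.
type Originator struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewOriginator() (*Originator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Originator{Public: pub, private: priv}, nil
}

// Sign produces the public key digital signature over msg.
func (o *Originator) Sign(msg []byte) []byte { return ed25519.Sign(o.private, msg) }

// VerifyOrigin needs only the public key, so the receiver can show a valid
// signature to any third party as evidence of who sent the message.
func VerifyOrigin(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// ForgeSignature models a party without the originator's private key: it
// signs with a freshly generated key, which must fail against the real public key.
func ForgeSignature(msg []byte) ([]byte, error) {
	_, other, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(other, msg), nil
}

// MAC is the secret key based alternative (HMAC-SHA256). Both parties hold the
// key, so the receiver could have produced the tag itself: no proof of origin.
func MAC(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC requires the same secret; anyone who can verify can also forge.
func VerifyMAC(sharedKey, msg, tag []byte) bool { return hmac.Equal(MAC(sharedKey, msg), tag) }
```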
2.2.6 Logging and Monitoring
This service performs two functions. The first is the detection of the occurrence of a threat.
(However, the detection does not occur in real time unless some type of real-time monitoring
capability is utilized.) Depending on the extensiveness of the logging, the detected event should
be traceable throughout the system. For example, when an intruder breaks into the system, the
log should indicate who was logged on to the system at the time, all sensitive files that had failed
accesses, all programs that had attempted executions, etc. It should also indicate sensitive files
and programs that were successfully accessed in this time period. It may be appropriate that
some areas of the LAN (workstations, fileservers, etc.) have some type of logging service.
The second function of this service is to provide system and network managers with statistics that
indicate that systems and the network as a whole are functioning properly. This can be done by